Re: How to hook the system call?

2011-11-28 Thread Jonathan Neuschäfer
On Mon, Nov 28, 2011 at 02:12:37AM +0100, richard -rw- weinberger wrote:

 Please keep in mind that hooking a system call is very bad and error prone.

Sure.

-- Jonathan Neuschäfer

___
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies


Re: How to hook the system call?

2011-11-27 Thread Jonathan Neuschäfer
On Wed, Nov 23, 2011 at 04:40:14PM +0800, Geraint Yang wrote:
 Hello everyone,
 
 I am going to hook a system call like 'read' or 'send' by modifying the
 sys_call_table, but it seems that the sys_call_table is in a read-only page;
 how can I modify the sys_call_table? Or is there any method that I can
 use to hook a system call in a module without modifying the kernel source?

There's a kernel module for advanced rickrolling that overwrites the
open entry in the syscall table: https://github.com/fpletz/kernelroll

It does some trickery to make the page writable first.

HTH,
Jonathan Neuschäfer



Re: How to hook the system call?

2011-11-27 Thread richard -rw- weinberger
On Sun, Nov 27, 2011 at 11:17 PM, Jonathan Neuschäfer
j.neuschae...@gmx.net wrote:
 On Wed, Nov 23, 2011 at 04:40:14PM +0800, Geraint Yang wrote:
 Hello everyone,

 I am going to hook a system call like 'read' or 'send' by modifying the
 sys_call_table, but it seems that the sys_call_table is in a read-only page;
 how can I modify the sys_call_table? Or is there any method that I can
 use to hook a system call in a module without modifying the kernel source?

Please keep in mind that hooking a system call is very bad and error prone.

-- 
Thanks,
//richard



Re: How to hook the system call?

2011-11-27 Thread Geraint Yang
Thanks for the advice!
I am using the LSM framework even though it needs recompiling the kernel.
But I will also give the kernelroll module a try.
Modifying sys_call_table is more error-prone, but it gives more freedom
than the LSM framework, which can only hook at a limited set of hooking points.



On Mon, Nov 28, 2011 at 9:12 AM, richard -rw- weinberger 
richard.weinber...@gmail.com wrote:

 On Sun, Nov 27, 2011 at 11:17 PM, Jonathan Neuschäfer
 j.neuschae...@gmx.net wrote:
  On Wed, Nov 23, 2011 at 04:40:14PM +0800, Geraint Yang wrote:
  Hello everyone,
 
  I am going to hook a system call like 'read' or 'send' by modifying the
  sys_call_table, but it seems that the sys_call_table is in a read-only page;
  how can I modify the sys_call_table? Or is there any method that I can
  use to hook a system call in a module without modifying the kernel source?

 Please keep in mind that hooking a system call is very bad and error prone.

 --
 Thanks,
 //richard




-- 
Geraint Yang
Tsinghua University Department of Computer Science and Technology


How to hook the system call?

2011-11-23 Thread Geraint Yang
Hello everyone,

I am going to hook a system call like 'read' or 'send' by modifying the
sys_call_table, but it seems that the sys_call_table is in a read-only page;
how can I modify the sys_call_table? Or is there any method that I can
use to hook a system call in a module without modifying the kernel source?

Thanks!

-- 
Geraint Yang
Tsinghua University Department of Computer Science and Technology


Re: How to hook the system call?

2011-11-23 Thread Alexandru Juncu
On Wed, Nov 23, 2011 at 10:40 AM, Geraint Yang geraint0...@gmail.com wrote:
 Hello everyone,

 I am going to hook a system call like 'read' or 'send' by modifying the
 sys_call_table, but it seems that the sys_call_table is in a read-only page;
 how can I modify the sys_call_table? Or is there any method that I can
 use to hook a system call in a module without modifying the kernel source?

 Thanks!

On a 2.6.35 kernel, it worked for me just by changing an entry in the
sys_call_table, within a kernel module.  Something like this:

/* Module-local state implied by the snippet; NR_syscalls comes from the
 * kernel headers, sys_call_table must be exported by the (patched) kernel. */
typedef asmlinkage long (*syscall_fn_t)(struct syscall_params);
static syscall_fn_t old_sys_calls[NR_syscalls];
static int is_intercepted[NR_syscalls];
static DEFINE_SPINLOCK(sys_call_table_lock);
asmlinkage long interceptor(struct syscall_params sp);

/* Install the hook for entry sys_call: save the original, point the entry
 * at interceptor, under a lock so concurrent installs do not race. */
spin_lock(&sys_call_table_lock);
old_sys_calls[sys_call] = sys_call_table[sys_call];
sys_call_table[sys_call] = interceptor;
is_intercepted[sys_call] = 1;
spin_unlock(&sys_call_table_lock);

/* Replacement entry: this assumes a modified kernel in which every syscall
 * receives a struct syscall_params whose eax field holds the syscall number. */
asmlinkage long interceptor(struct syscall_params sp)
{
    long sys_call = sp.eax, r = 0;

    r = old_sys_calls[sys_call](sp);   /* run the original handler first */
    do_stuff();                        /* then whatever extra work is wanted */
    return r;
}

--
Alexandru Juncu



Re: How to hook the system call?

2011-11-23 Thread Daniel Baluta
On Wed, Nov 23, 2011 at 11:22 AM, Alexandru Juncu alex.ju...@rosedu.org wrote:
 On Wed, Nov 23, 2011 at 10:40 AM, Geraint Yang geraint0...@gmail.com wrote:
 Hello everyone,

 I am going to hook a system call like 'read' or 'send' by modifying the
 sys_call_table, but it seems that the sys_call_table is in a read-only page;
 how can I modify the sys_call_table? Or is there any method that I can
 use to hook a system call in a module without modifying the kernel source?

 Thanks!

 On a 2.6.35 kernel, it worked for me just by changing an entry in the
 sys_call_table, within a kernel module.  Something like this:

Alex,
I am pretty sure that you are using a hacked version of 2.6.35.

Geraint,
In order to be able to hook a syscall you must do the following:

1. export sys_call_table in arch/x86/kernel/i386_ksyms_32.c

extern void* sys_call_table[];
EXPORT_SYMBOL(sys_call_table);

2. make sys_call_table writable. In arch/x86/kernel/entry_32.S
you must have:

.section .data,"a"
#include "syscall_table_32.S"

thanks,
Daniel.



Re: How to hook the system call?

2011-11-23 Thread Alexandru Juncu
On Wed, Nov 23, 2011 at 12:10 PM, Daniel Baluta daniel.bal...@gmail.com wrote:
 On Wed, Nov 23, 2011 at 11:22 AM, Alexandru Juncu alex.ju...@rosedu.org 
 wrote:
 On Wed, Nov 23, 2011 at 10:40 AM, Geraint Yang geraint0...@gmail.com wrote:
 Hello everyone,

 I am going to hook a system call like 'read' or 'send' by modifying the
 sys_call_table, but it seems that the sys_call_table is in a read-only page;
 how can I modify the sys_call_table? Or is there any method that I can
 use to hook a system call in a module without modifying the kernel source?

 Thanks!

 On a 2.6.35 kernel, it worked for me just by changing an entry in the
 sys_call_table, within a kernel module.  Something like this:

 Alex,
 I am pretty sure that you are using a hacked version of 2.6.35.

 Geraint,
 In order to be able to hook a syscall you must do the following:

 1. export sys_call_table in arch/x86/kernel/i386_ksyms_32.c

 extern void* sys_call_table[];
 EXPORT_SYMBOL(sys_call_table);

 2. make sys_call_table writable. In arch/x86/kernel/entry_32.S
 you must have:

 .section .data,"a"
 #include "syscall_table_32.S"

 thanks,
 Daniel.


Ah, Daniel is right... I forgot about that part...



Re: How to hook the system call?

2011-11-23 Thread rohan puri
On Wed, Nov 23, 2011 at 3:57 PM, Alexandru Juncu alex.ju...@rosedu.org wrote:

 On Wed, Nov 23, 2011 at 12:10 PM, Daniel Baluta daniel.bal...@gmail.com
 wrote:
  On Wed, Nov 23, 2011 at 11:22 AM, Alexandru Juncu alex.ju...@rosedu.org
 wrote:
  On Wed, Nov 23, 2011 at 10:40 AM, Geraint Yang geraint0...@gmail.com
 wrote:
  Hello everyone,
 
  I am going to hook a system call like 'read' or 'send' by modifying the
  sys_call_table, but it seems that the sys_call_table is in a read-only page;
  how can I modify the sys_call_table? Or is there any method that I can
  use to hook a system call in a module without modifying the kernel source?
 
  Thanks!
 
  On a 2.6.35 kernel, it worked for me just by changing an entry in the
  sys_call_table, within a kernel module.  Something like this:
 
  Alex,
  I am pretty sure that you are using a hacked version of 2.6.35.
 
  Geraint,
  In order to be able to hook a syscall you must do the following:
 
  1. export sys_call_table in arch/x86/kernel/i386_ksyms_32.c

  extern void* sys_call_table[];
  EXPORT_SYMBOL(sys_call_table);

  2. make sys_call_table writable. In arch/x86/kernel/entry_32.S
  you must have:

  .section .data,"a"
  #include "syscall_table_32.S"
 
  thanks,
  Daniel.
 

 Ah, Daniel is right... I forgot about that part...



You can get the address of sys_call_table from /proc/kallsyms, and regarding
the read-only section of this symbol, you can re-map the address by making
use of the vmap API in the kernel. This will avoid the need to recompile the
kernel. But I would not recommend you to do this.
There is the LSM framework specifically available for this; try to see if you
can make use of that.

Regards,
Rohan Puri
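Alexandru's table patching, Daniel's export-and-make-writable steps and Rohan's kallsyms/vmap route above all end the same way: an entry of sys_call_table no longer points at the kernel's own sys_* handler. The defender's counterpart is an integrity check that resolves every entry back to a symbol and flags anything that lands in a module, at no symbol at all, or at a non-syscall symbol. The script below is an added example, not code from this thread; it runs offline on a constructed /proc/kallsyms excerpt and a constructed "<index> <address>" dump of the table (all addresses are invented), and the names check_table, parse_kallsyms and parse_table_dump are the example's own.

```python
# Added example: offline integrity check of a sys_call_table snapshot.
# Not code from the kernelnewbies thread. Inputs are constructed text in the
# shape of /proc/kallsyms and of a "<index> <address>" table dump; all
# addresses below are invented for the example.

# Constructed /proc/kallsyms excerpt: address, type, name, optional [module].
KALLSYMS = """\
ffffffff81000000 T _text
ffffffff81200000 T sys_read
ffffffff81200100 T sys_write
ffffffff81200200 T sys_open
ffffffff81200300 T sys_close
ffffffff81a00000 T _etext
ffffffffa0001000 t interceptor [hookmod]
"""

# Constructed dump of four sys_call_table entries (indices are arbitrary).
# Entry 2 points into a module, entry 3 into the middle of sys_close.
TABLE_DUMP = """\
0 ffffffff81200000
1 ffffffff81200100
2 ffffffffa0001000
3 ffffffff81200350
"""

# Symbol name prefixes a legitimate table entry may start with; the
# __x64_/__ia32_ forms appear on kernels newer than the one in the thread.
SYSCALL_PREFIXES = ("sys_", "compat_sys_", "__x64_sys_", "__ia32_sys_")


def parse_kallsyms(text):
    """Return ({address: (name, type, module_or_None)}, (_text, _etext))."""
    symbols = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        addr, typ, name = int(fields[0], 16), fields[1], fields[2]
        module = fields[3].strip("[]") if len(fields) > 3 else None
        symbols[addr] = (name, typ, module)
    text_start = next(a for a, s in symbols.items() if s[0] == "_text")
    text_end = next(a for a, s in symbols.items() if s[0] == "_etext")
    return symbols, (text_start, text_end)


def parse_table_dump(text):
    """Return [(index, target_address)] from '<index> <hex address>' lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2:
            entries.append((int(fields[0]), int(fields[1], 16)))
    return entries


def check_table(kallsyms_text, dump_text):
    """Return [(index, address, reason)] for entries that do not resolve to a
    syscall symbol inside core kernel text. An empty list means no finding."""
    symbols, (text_start, text_end) = parse_kallsyms(kallsyms_text)
    findings = []
    for index, addr in parse_table_dump(dump_text):
        sym = symbols.get(addr)
        if not text_start <= addr < text_end:
            # Targets outside [_text, _etext) live in a module or nowhere known.
            where = f"{sym[0]} [{sym[2]}]" if sym and sym[2] else "unknown"
            findings.append((index, addr, f"outside core kernel text ({where})"))
        elif sym is None:
            # Inside kernel text but not at a symbol start: a trampoline, or a
            # kallsyms snapshot taken from a different kernel build.
            findings.append((index, addr, "no symbol starts at this address"))
        elif not sym[0].startswith(SYSCALL_PREFIXES):
            findings.append((index, addr, f"points at non-syscall symbol {sym[0]}"))
    return findings


if __name__ == "__main__":
    for index, addr, reason in check_table(KALLSYMS, TABLE_DUMP):
        print(f"entry {index}: 0x{addr:016x}: {reason}")
```

On a live system /proc/kallsyms shows real addresses only to root when kptr_restrict is set, and the table contents themselves have to be read from the kernel side (a debugger or the crash utility); the kallsyms snapshot and the dump must come from the same running kernel. The check catches swapped table pointers, which is what every method in this thread does; it says nothing about a handler whose body was altered in place, which needs a hash of the code bytes instead.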


Re: How to hook the system call?

2011-11-23 Thread Geraint Yang
Hi,
Thank you all for helping me with this problem!
I don't want to modify my kernel source, so I am trying to learn to use the LSM
security hooks. Even though it seems they can't hook all the system
calls, I think it should be enough for me.
Thanks again!



On Wed, Nov 23, 2011 at 8:02 PM, rohan puri rohan.pur...@gmail.com wrote:



 On Wed, Nov 23, 2011 at 3:57 PM, Alexandru Juncu alex.ju...@rosedu.org wrote:

 On Wed, Nov 23, 2011 at 12:10 PM, Daniel Baluta daniel.bal...@gmail.com
 wrote:
  On Wed, Nov 23, 2011 at 11:22 AM, Alexandru Juncu 
 alex.ju...@rosedu.org wrote:
  On Wed, Nov 23, 2011 at 10:40 AM, Geraint Yang geraint0...@gmail.com
 wrote:
  Hello everyone,
 
  I am going to hook a system call like 'read' or 'send' by modifying the
  sys_call_table, but it seems that the sys_call_table is in a read-only page;
  how can I modify the sys_call_table? Or is there any method that I can
  use to hook a system call in a module without modifying the kernel source?
 
  Thanks!
 
  On a 2.6.35 kernel, it worked for me just by changing an entry in the
  sys_call_table, within a kernel module.  Something like this:
 
  Alex,
  I am pretty sure that you are using a hacked version of 2.6.35.
 
  Geraint,
  In order to be able to hook a syscall you must do the following:
 
  1. export sys_call_table in arch/x86/kernel/i386_ksyms_32.c

  extern void* sys_call_table[];
  EXPORT_SYMBOL(sys_call_table);

  2. make sys_call_table writable. In arch/x86/kernel/entry_32.S
  you must have:

  .section .data,"a"
  #include "syscall_table_32.S"
 
  thanks,
  Daniel.
 

 Ah, Daniel is right... I forgot about that part...



 You can get the address of sys_call_table from /proc/kallsyms, and regarding
 the read-only section of this symbol, you can re-map the address by making
 use of the vmap API in the kernel. This will avoid the need to recompile the
 kernel. But I would not recommend you to do this.
 There is the LSM framework specifically available for this; try to see if you
 can make use of that.

 Regards,
 Rohan Puri




-- 
Geraint Yang
Tsinghua University Department of Computer Science and Technology


Re: How to hook the system call?

2011-11-23 Thread Alexandru Juncu
On Wed, Nov 23, 2011 at 6:50 PM, Geraint Yang geraint0...@gmail.com wrote:
 Hi,
 Thank you all for helping me with this problem!
 I don't want to modify my kernel source, so I am trying to learn to use the LSM
 security hooks. Even though it seems they can't hook all the system
 calls, I think it should be enough for me.
 Thanks again!

I know that AppArmor can hook syscalls like read, write and memory
mapping and can deny or accept them. I am not sure if you can make it
do something else when hooked, but I know it has a script-like
configuration, so maybe you can take some other actions.



Re: How to hook the system call?

2011-11-23 Thread Geraint Yang
Hi,
I have tried the LSM framework, but when I make my module, I get the
warning 'register_security' undefined. Then I checked security/security.c
and found out that register_security is not exported! So if I want to use
this function, I must hack the kernel by exporting it and recompiling the
kernel, which is allowed for me.
So... well, it seems that LSM doesn't work for a module without modifying the
kernel source.



On Thu, Nov 24, 2011 at 12:59 AM, Alexandru Juncu alex.ju...@rosedu.org wrote:

 On Wed, Nov 23, 2011 at 6:50 PM, Geraint Yang geraint0...@gmail.com
 wrote:
  Hi,
  Thank you all for helping me with this problem!
  I don't want to modify my kernel source, so I am trying to learn to use the LSM
  security hooks. Even though it seems they can't hook all the system
  calls, I think it should be enough for me.
  Thanks again!

 I know that AppArmor can hook syscalls like read, write and memory
 mapping and can deny or accept them. I am not sure if you can make it
 do something else when hooked, but I know it has a script-like
 configuration, so maybe you can take some other actions.




-- 
Geraint Yang
Tsinghua University Department of Computer Science and Technology


Re: How to hook the system call?

2011-11-23 Thread Nuno Martins
On Wed, Nov 23, 2011 at 6:05 PM, Geraint Yang geraint0...@gmail.com wrote:
 Hi,
 I have tried the LSM framework, but when I make my module, I get the
 warning 'register_security' undefined. Then I checked security/security.c
 and found out that register_security is not exported! So if I want to use
 this function, I must hack the kernel by exporting it and recompiling the
 kernel, which is allowed for me.
 So... well, it seems that LSM doesn't work for a module without modifying the
 kernel source.



 On Thu, Nov 24, 2011 at 12:59 AM, Alexandru Juncu alex.ju...@rosedu.org
 wrote:

 On Wed, Nov 23, 2011 at 6:50 PM, Geraint Yang geraint0...@gmail.com
 wrote:
  Hi,
  Thank you all for helping me with this problem!
  I don't want to modify my kernel source, so I am trying to learn to use the LSM
  security hooks. Even though it seems they can't hook all the system
  calls, I think it should be enough for me.
  Thanks again!

 I know that AppArmor can hook syscalls like read, write and memory
 mapping and can deny or accept them. I am not sure if you can make it
 do something else when hooked, but I know it has a script-like
 configuration, so maybe you can take some other actions.



If you can hook the system calls, you could try KProbes, which is a dynamic
instrumentation mechanism used in the Linux kernel.
You could use a JProbe to capture the function parameters of the
instrumented function.

If you have KProbes in your kernel, you can create a module to
instrument the syscall that you want.
Maybe it can be a starting point for you ...

Other projects that use KProbes are DProbes and SystemTap; you can
also give them a look.


 --
 Geraint Yang
 Tsinghua University Department of Computer Science and Technology





-- 
Nuno Martins



Re: How to hook the system call?

2011-11-23 Thread rohan puri
On Wed, Nov 23, 2011 at 11:35 PM, Geraint Yang geraint0...@gmail.com wrote:

 Hi,
 I have tried the LSM framework, but when I make my module, I get the
 warning 'register_security' undefined. Then I checked security/security.c
 and found out that register_security is not exported! So if I want to use
 this function, I must hack the kernel by exporting it and recompiling the
 kernel, which is allowed for me.
 So... well, it seems that LSM doesn't work for a module without modifying
 the kernel source.



This function is declared as extern in the header linux/security.h; you can
include this header in your code and call this function.


 On Thu, Nov 24, 2011 at 12:59 AM, Alexandru Juncu alex.ju...@rosedu.org wrote:

 On Wed, Nov 23, 2011 at 6:50 PM, Geraint Yang geraint0...@gmail.com
 wrote:
  Hi,
  Thank you all for helping me with this problem!
  I don't want to modify my kernel source, so I am trying to learn to use the LSM
  security hooks. Even though it seems they can't hook all the system
  calls, I think it should be enough for me.
  Thanks again!

 I know that AppArmor can hook syscalls like read, write and memory
 mapping and can deny or accept them. I am not sure if you can make it
 do something else when hooked, but I know it has a script-like
 configuration, so maybe you can take some other actions.




 --
 Geraint Yang
 Tsinghua University Department of Computer Science and Technology


Regards,
Rohan Puri